Hi, I'm new to rsyslog, trying to get something fairly basic to work but failing to follow the documentation it seems.
I use fail2ban which is hard-coded to output its syslog at facility "daemon". I could edit the source, but would rather skin the cat another way. daemon.* obviously has lots of other stuff (DHCP, Automount, etc) and I'd like to filter it.

I want to send all fail2ban logs to a separate file and I want to send the lines specific to ban/unbans to a remote server. What I've got in my rsyslog.conf is:

    #Log all fail2ban locally
    :syslogtag, contains, "fail2ban" daemon.* /var/log/fail2ban.log

    #Log bans & unbans to remote
    :msg, contains, "ssh-slowattack" daemon.* @@10.0.0.1:5000

What I get with this is a blank fail2ban.log and *all* daemon facility events on the remote server.

Example log portion:

    <30>Jan 31 09:08:55 testserver fail2ban.jail : INFO Jail 'fail2ban' started
    <28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2
    <28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2
    <30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67

Rsyslog version, which I can't currently change, is rsyslog-3.22.1-7.el5

Thanks
James
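Added example, not part of the original post and not rsyslog code: a small Python model of the routing the post asks for, run over the four sample lines quoted above. It decodes the `<PRI>` prefix into facility and severity and applies the two "contains" tests; the function names and the simplified line parser are assumptions made for illustration, and rsyslog's own parser may split tag and message differently.

```python
import re

# Facility codes from RFC 3164 (only the first few are named here).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth"}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

LOCAL_FILE = "/var/log/fail2ban.log"   # destinations taken from the post
REMOTE = "@@10.0.0.1:5000"

# Simplified layout: <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<tag>[^:\s]+)\s*: ?(?P<msg>.*)$"
)

# Sample lines copied from the post.
SAMPLE = [
    "<30>Jan 31 09:08:55 testserver fail2ban.jail : INFO Jail 'fail2ban' started",
    "<28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2",
    "<28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2",
    "<30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67",
]

def parse(line):
    """Split one line into facility, severity, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }

def route(line):
    """Return the destinations the post wants for this line."""
    rec = parse(line)
    dests = set()
    if rec is None or rec["facility"] != "daemon":
        return dests
    if "fail2ban" in rec["tag"]:        # all fail2ban output, kept locally
        dests.add(LOCAL_FILE)
    if "ssh-slowattack" in rec["msg"]:  # ban/unban lines, also sent remotely
        dests.add(REMOTE)
    return dests

if __name__ == "__main__":
    for line in SAMPLE:
        print(sorted(route(line)), "<-", line)
```

All four sample lines decode to facility daemon (PRI 30 is daemon.info, PRI 28 is daemon.warning), so a bare `daemon.*` selector matches the dhclient line as well as the fail2ban ones.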

